# Full Report
SecAlliance and Silent Push confirmed that the suspected Chinese operators of the phishing kit appear to have been affected. The post Google, researchers see signs that Lighthouse text scammers disrupted after lawsuit appeared first on CyberScoop.
# Analysis Summary
# Threat Actor: Lighthouse Operators / Smishing Triad Syndicate
## Attribution & Identity
* **Primary Affiliation:** Suspected Chinese operators of the Lighthouse phishing kit.
* **Associated Group Alias:** Members of the syndicate are known by the name **Smishing Triad**.
## Activity Summary
The operators use the **Lighthouse phishing kit** to run widespread SMS phishing ("smishing") campaigns. Operations appear to have been disrupted following a lawsuit filed by Google against the kit's creators. SecAlliance and Silent Push observed signs of this disruption, including the deletion or takedown of associated Telegram channels and associated domains ceasing to resolve in DNS.
## Tactics, Techniques & Procedures
* **Smishing:** Operation of a prolific SMS phishing platform.
* **Kit Distribution:** Use of the "Lighthouse" phishing kit, sometimes referred to as "phishing for dummies."
* **Communication:** Correspondence among members occurred on **Telegram channels**.
* **Infrastructure Takedown:** Observable disruption indicated by associated domains ceasing DNS resolution and Telegram channels being deleted due to Terms of Service violations.
* **Associated MITRE ATT&CK Techniques (Inferred from Smishing context):** Phishing (T1566) via SMS.
## Targeting
* **Sectors:** General consumer base targeted via public infrastructure scams.
* **Geography:** Targeting operations appear focused on the US, based on the examples cited.
* **Victims:** General consumers targeted by specific scams, including those impersonating:
  * E-Z Pass (toll payment service)
  * U.S. Postal Service (USPS)
## Tools & Infrastructure
* **Malware/Kits:** Lighthouse phishing kit.
* **Infrastructure:**
  * Telegram channels (since deleted/taken down).
  * Various domains historically associated with Lighthouse infrastructure (some confirmed inactive/no longer resolving).
## Implications
The disruption of the Lighthouse operation following legal action by a major technology provider (Google) suggests a successful legal/technical strategy to dismantle criminal infrastructure. However, researchers note that other websites are still using Lighthouse kit code, and other kits used by the broader Smishing Triad may still be active, suggesting the *ecosystem* is not entirely eradicated.
## Mitigations
* Continued monitoring of infrastructure associated with the Smishing Triad.
* Tracking of backend changes or the emergence of replacement phishing kits.
* Defense against smishing/vishing attacks impersonating critical services (e.g., tolling agencies, postal services).